
Why use HTTPS for Azure Blob Storage

I have an ASP.NET website which requires login and uses SSL on all pages to protect the user's credentials and authentication cookie. Say one page has an image element with the following src:

https://mystorageaccount.blob.core.windows.net/mycontainer/myimage.jpg?sv=...

This requests an image file from a private blob container on Azure Storage, using a time-limited Shared Access Signature. I don't particularly want this image to be intercepted. However, is there any point in using HTTPS for this request? Surely a man-in-the-middle could just use the URL themselves within the SAS timescale to receive the image anyway?

I realise that a more secure option would be to fetch the image from storage server-side, and serve it only to authenticated users, but speed is important so I'd like to avoid this. My question is, when the browser requests images from Azure Storage directly, is there any benefit in HTTPS or should I use HTTP instead?

With HTTPS the secure connection is done at the TCP layer before any HTTP traffic is transmitted. Only the host name and port number are submitted unsecured (since they are used to establish the TCP connection) and then once the secure connection is established then the remaining HTTP content (the path portion of the URL and any query parameters) is submitted securely over HTTPS.

This is all explained in the Wikipedia article for HTTPS - http://en.wikipedia.org/wiki/HTTPS.

I can definitely think of one benefit and that is avoiding Mixed Content warnings.

Also, please note that if you're serving the content from the application server by fetching it from the storage first, you'll lose CDN benefits.
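The two points made in the answers above (only host and port are visible under HTTPS, and an HTTP resource on an HTTPS page is mixed content) can be checked against page markup. This is an added example, not part of the original posts: the function names are hypothetical, the sample HTML, token values and page URL are constructed, and it assumes a SAS URL can be recognised by its `sig` query parameter.

```javascript
// Added example: audit page markup for SAS URLs that would travel in cleartext.
// SAMPLE_HTML is constructed; SV_PLACEHOLDER / SIG_PLACEHOLDER are not real tokens.
const SAMPLE_HTML = `
<img src="https://mystorageaccount.blob.core.windows.net/mycontainer/myimage.jpg?sv=SV_PLACEHOLDER&se=2030-01-01T00%3A00%3A00Z&sp=r&sig=SIG_PLACEHOLDER">
<img src="http://mystorageaccount.blob.core.windows.net/mycontainer/other.jpg?sv=SV_PLACEHOLDER&sp=r&sig=SIG_PLACEHOLDER">
<img src="/static/logo.png">
`;

// What a passive network observer can read for one request.
function observableParts(url) {
  const port = url.port || (url.protocol === 'https:' ? '443' : '80');
  if (url.protocol === 'https:') {
    // TLS: only the endpoint (host name via DNS/SNI, port) is visible;
    // the path and the query string carrying the SAS are encrypted.
    return { host: url.hostname, port, path: null, query: null };
  }
  // Plain HTTP: the whole request line, signature included, is readable.
  return { host: url.hostname, port, path: url.pathname, query: url.search };
}

// Report every src/href in the markup that carries a SAS token.
function auditSasUrls(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  const attr = /\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  for (const m of html.matchAll(attr)) {
    let url;
    try { url = new URL(m[1].replace(/&amp;/g, '&'), page); } catch { continue; }
    if (!url.searchParams.has('sig')) continue; // assumption: `sig` marks a SAS URL
    const seen = observableParts(url);
    findings.push({
      url: url.origin + url.pathname,
      tokenExposed: seen.query !== null,
      mixedContent: page.protocol === 'https:' && url.protocol === 'http:',
      observable: seen,
    });
  }
  return findings;
}

// Constructed page URL standing in for the ASP.NET site.
console.log(JSON.stringify(auditSasUrls(SAMPLE_HTML, 'https://app.example/gallery'), null, 2));
```
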

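Notice: The technical posts on this site follow the CC BY-SA 4.0 license. If you need to repost, please credit this site's URL or the original address. For any questions, contact: yoyou2525@163.com.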

 